From c8f2d55acf79678801bff0786049451b595563b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?=
Date: Tue, 30 Jun 2020 14:24:12 +0200
Subject: [PATCH 1/2] rbtdb: cleanup_dead_nodes should ignore alive nodes on the deadlist
---
 lib/dns/rbtdb.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 87fbdb317b..c0b3479684 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1914,15 +1914,16 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
 ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink);
 /*
- * Since we're holding a tree write lock, it should be
- * impossible for this node to be referenced by others.
- *
- * decrement_reference may not have tested node->down, as
- * the tree_lock was not held, before adding the node to
- * deadnodes so we test it here.
+ * We might have reactivated this node without a tree write
+ * lock, so we couldn't remove this node from deadnodes then
+ * and we have to do it now.
 */
- INSIST(isc_refcount_current(&node->references) == 0 &&
- node->data == NULL);
+ if (isc_refcount_current(&node->references) != 0 ||
+ node->data != NULL) {
+ node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+ count--;
+ continue;
+ }
 if (is_leaf(node) && rbtdb->task != NULL) {
 send_to_prune_tree(rbtdb, node, isc_rwlocktype_write);
From 4c12709da49a889614376f5e8e6ea0ecfcd55051 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 1 Jul 2020 15:07:57 +0200
Subject: [PATCH 2/2] Add CHANGES and release note for #1968
---
 CHANGES | 4 ++++
 doc/notes/notes-current.rst | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/CHANGES b/CHANGES
index c2509400b7..c5f6fd79de 100644
--- a/CHANGES
+++ b/CHANGES
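Review bot: The new comment above the `if` in cleanup_dead_nodes says a node can be reactivated without the tree write lock, but it does not say what keeps `node->references` and `node->data` from changing between this check and the pruning that follows. Presumably the caller holds the node lock for this bucket, which is not visible in the hunk; if so, I would add a line such as `* The caller holds the node lock for this bucket, so the node cannot be reactivated after this check.` once that is confirmed against the callers. The rewrite also drops the old sentence explaining that decrement_reference may not have tested node->down, which was the rationale for the `is_leaf(node)` test right below; that sentence should stay. The skip path spells out its own `node = ISC_LIST_HEAD(...)` and `count--`, and the loop starts and ends outside the hunk, so it is worth checking that this matches the advance at the bottom of the loop.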
@@ -1,3 +1,7 @@ +5455. [bug] `named` could crash when cleaning dead nodes + in lib/dns/rbtdb.c that have been reused meanwhile. + [GL #1968] + 5454. [bug] Address a startup crash happening when server is under load and root zone is not yet loaded. [GL #1862] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index bd030087bd..9ff620303a 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -68,3 +68,6 @@ Bug Fixes - Fix assertion failure when server is under load and root zone is not yet loaded. [GL #1862] + +- ``named`` could crash when cleaning dead nodes in ``lib/dns/rbtdb.c`` that + have been reused meanwhile. [GL #1968]